Discussion:
[Freeipa-devel] [freeipa PR#758][opened] install: fix CA-less PKINIT
HonzaCholasta
2017-05-03 13:26:31 UTC
URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
Title: #758: install: fix CA-less PKINIT
Action: opened

PR body:
"""
**certdb: add named trust flag constants**

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

**certdb, certs: make trust flags argument mandatory**

Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

**certdb: use custom object for trust flags**

Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

**install: trust IPA CA for PKINIT**

Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

**client install: fix client PKINIT configuration**

Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

**server install: fix KDC PKINIT configuration**

Make sure `cacert.pem` contains only certificates of CAs trusted to issue
PKINIT client certificates and is exported in all installation code paths.

Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

**certs: do not export CA certs in install_pem_from_p12**

This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.

**server install: fix KDC certificate validation in CA-less**

Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.

**cacert manage: support PKINIT**

Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.

**server certinstall: support PKINIT**

Allow replacing the KDC certificate.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
stlaz
2017-05-09 08:28:43 UTC
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
External CA (rebased on current master to be able to install):
```
$ kinit -n
kinit: Invalid certificate while getting initial credentials
$ /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_9588 -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
kinit: Invalid certificate while getting initial credentials
```
and on replica:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
=> this breaks WebUI on external CA installations.

=================================
CA-less with `--no-pkinit`:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
but I guess that's expected; WebUI works since the following does work as well:
```
$ /usr/bin/kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
```
=================================
In CA-less with PKINIT options, `kinit -n` works fine, although replica installation will produce:
```
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
ipa : ERROR PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
ipa : ERROR Failed to configure PKINIT
Done configuring Kerberos KDC (krb5kdc).
```
when run with own PKINIT certificate from `--pkinit-cert-file` option. I don't think it should be asking any CA for a certificate if we already have the certificate.


"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300097018
HonzaCholasta
2017-05-11 11:56:15 UTC
URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
HonzaCholasta
2017-05-11 11:56:23 UTC
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
@stlaz, FTFY. Also fixed wrong permissions on the CA-less KDC key file (props to @dkupka).

The "preauthentication failed" with `--no-pkinit` is expected indeed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300767441
stlaz
2017-05-15 08:37:18 UTC
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
`kinit -n` still fails with my setup. I found out the reason is that I have a self-signed certificate in the trust chain:
```
[36993] 1494834859.113259: PKINIT client could not verify DH reply
[36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain
kinit: Invalid certificate while getting initial credentials
```
This does not happen without this patchset so the question is whether it is OK that this is happening or not. If so, we should add a check which would prevent this + probably warn our QA team because I guess this is just the way they are testing this.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948
stlaz
2017-05-15 08:38:55 UTC
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
`kinit -n` still fails with my external CA setup. I found out the reason is that I have a self-signed certificate in the trust chain:
```
[36993] 1494834859.113259: PKINIT client could not verify DH reply
[36993] 1494834859.113276: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 2): self signed certificate in certificate chain
kinit: Invalid certificate while getting initial credentials
```
This does not happen without this patchset so the question is whether it is OK that this is happening or not. If so, we should add a check which would prevent this + probably warn our QA team because I guess this is just the way they are testing this.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301411948
HonzaCholasta
2017-05-16 05:35:31 UTC
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
@stlaz, this seems to be a bug in kinit. When you have a certificate chain root CA -> intermediate CA -> KDC and want to trust the intermediate CA, but not the root CA, the validation will always fail. This is the case in external CA setup (the external CA is the root CA, IPA CA is the intermediate CA), but I haven't confirmed it without IPA yet.

Without this patchset, both the CA certificates are trusted, which is a bug, but makes kinit work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301680152
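The chain problem HonzaCholasta describes can be reproduced without IPA or kinit at all, using OpenSSL's own verifier. The script below is an added example, not FreeIPA code and not anything posted in this thread. It builds a constructed three-tier PKI (a self-signed root standing in for the external CA, an intermediate standing in for the IPA CA, and a KDC leaf carrying the id-pkinit-KDC extended key usage and the KRB5PrincipalName otherName that a KDC certificate needs, written with the extension recipe from the MIT krb5 pkinit documentation), then asks `openssl verify` to validate the leaf with only the intermediate as trust anchor while the root is supplied as peer-provided chain material. Reading the trust store as `pkinit_anchors` and the peer-provided certificates as `pkinit_pool` is my framing of the analogy, not something the thread states; all CA names, the `kdc.demo.test` subject, the `DEMO.TEST` realm and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not FreeIPA code: reproduce with plain OpenSSL why a
# verifier that trusts only an intermediate CA rejects the chain
# root -> intermediate -> KDC unless partial chains are allowed.
# All names, subjects, the realm and the temporary directory are constructed.
set -e

# make_demo_pki DIR: build a three-tier demo PKI in DIR.
#   root.pem   self-signed root    (stands in for the external CA)
#   inter.pem  signed by root      (stands in for the IPA CA)
#   kdc.pem    signed by inter     (stands in for the KDC certificate)
make_demo_pki() {
    pki=$1
    mkdir -p "$pki"
    # Extension profiles.  kdc_ext follows the MIT krb5 pkinit recipe:
    # EKU id-pkinit-KDC (1.3.6.1.5.2.3.5) and a KRB5PrincipalName otherName
    # (1.3.6.1.5.2.2) naming krbtgt/DEMO.TEST@DEMO.TEST.
    cat >"$pki/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[kdc_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0,GeneralString:DEMO.TEST
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:DEMO.TEST
EOF
    for name in root inter kdc; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$pki/$name.key" 2>/dev/null
    done
    # Self-signed root.
    openssl req -new -x509 -key "$pki/root.key" -subj "/CN=Demo External Root CA" \
        -config "$pki/demo.cnf" -extensions ca_ext -days 30 -out "$pki/root.pem" 2>/dev/null
    # Intermediate CA issued by the root.
    openssl req -new -key "$pki/inter.key" -subj "/CN=Demo IPA CA" \
        -config "$pki/demo.cnf" -out "$pki/inter.csr" 2>/dev/null
    openssl x509 -req -in "$pki/inter.csr" -CA "$pki/root.pem" -CAkey "$pki/root.key" \
        -CAcreateserial -extfile "$pki/demo.cnf" -extensions ca_ext -days 30 \
        -out "$pki/inter.pem" 2>/dev/null
    # KDC leaf issued by the intermediate, with the PKINIT KDC extensions.
    openssl req -new -key "$pki/kdc.key" -subj "/CN=kdc.demo.test" \
        -config "$pki/demo.cnf" -out "$pki/kdc.csr" 2>/dev/null
    openssl x509 -req -in "$pki/kdc.csr" -CA "$pki/inter.pem" -CAkey "$pki/inter.key" \
        -CAcreateserial -extfile "$pki/demo.cnf" -extensions kdc_ext -days 30 \
        -out "$pki/kdc.pem" 2>/dev/null
}

# chain_status ANCHORS PEER_CHAIN LEAF [openssl verify flags...]
# ANCHORS is the trust store (think pkinit_anchors); PEER_CHAIN holds the
# extra certificates the peer sends (think pkinit_pool).  Prints ok or fail.
chain_status() {
    anchors=$1; peer_chain=$2; leaf=$3; shift 3
    if openssl verify -CAfile "$anchors" -untrusted "$peer_chain" "$@" "$leaf" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "root trusted, intermediate from peer:                 $(chain_status "$d/root.pem"  "$d/inter.pem" "$d/kdc.pem")"
    echo "intermediate trusted, root from peer:                 $(chain_status "$d/inter.pem" "$d/root.pem"  "$d/kdc.pem")"
    echo "intermediate trusted, root from peer, -partial_chain: $(chain_status "$d/inter.pem" "$d/root.pem"  "$d/kdc.pem" -partial_chain)"
    # OpenSSL's own diagnostic for the failing case:
    openssl verify -CAfile "$d/inter.pem" -untrusted "$d/root.pem" "$d/kdc.pem" 2>&1 || true
    rm -rf "$d"
}

demo
```

Without `-partial_chain`, OpenSSL refuses to stop at an anchor that is not self-signed and reports that it cannot complete the chain; with the flag, the intermediate-only anchor is accepted. Whether the PKINIT client in krb5 sets the equivalent of that flag, or instead requires the root in `pkinit_anchors` as the trace above suggests, is exactly the question this thread leaves open, and the script gives a way to tell the two behaviours apart on a host without touching an IPA deployment.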